14/03/2008, 20h56   #2
Jason Pruim
Re: [PHP] Is this the best way?


On Mar 14, 2008, at 1:44 PM, TG wrote:

>
> What error are you getting? Maybe there's some way to fix that too.


The error I get without checking the row count is this:

You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'order by LName' at line 1
>
>
> Just remember that errors and notices are like pain. It usually means
> there's something wrong. If you're getting an error, there may be a
> better
> way of doing what you're doing.
>
> Ideally, you should get zero results if there's no match in the user
> database.
>
> Typically for a user lookup, you might do something like this:
>
> SELECT <whatever> FROM usertable WHERE username = '<username>' AND
> password =
> '<password>'


Which is very similar to what I have:

$loginQuery = "SELECT * FROM current WHERE loginName='".$user."' AND loginPassword='".$password."' LIMIT 0,1;";
$loginResult = mysqli_query($link1, $loginQuery) or die("Wrong data supplied or database error" .mysqli_error($link1));

>
>
> If you get zero results, then they don't exist OR they entered the
> wrong
> password.
>
> If you get more than one result, then you have a duplicate account.
>
> If you have duplicate usernames, then you won't get multiple matches
> unless
> the passwords are also duplicated.
>
> Say, for example, you have a duplicated username but different
> passwords:
>
> user: me
> pass: pass1
>
> user: me
> pass: pass2
>
>
> Then login will succeed if they use me/pass1 OR me/pass2 but each
> way,
> you'll still only get one result from your db query.
>
>
> btw.. before someone rails me for not mentioning security...
> typically you'd
> store the passwords encrypted or hashed (one-way md5 or something)
> then you
> encrypt or hash the password the same when the user is logging in and
> compare them to the DB. That way, you don't store the password in
> plaintext and you can still check to see if the right password is
> entered.


Which I have complete with some $salt added
>
>
>
> example:
>
> user: me
> pass: pass1
> md5(pass1): laksro2i3 (fake md5.. lazy
>
> user logs in with:
>
> user: me
> pass: pass1
>
> system runs md5(pass1) and gets laksro2i3 again. it matches what's
> in the
> DB, so therefore is the correct password.
>
>
> Anyway.. main point is.. if you're getting errors, try to fix
> them. If
> you're getting multiple results on your user check, you may have bad
> input/uniqueness checking or you may be implementing your user
> system not
> as logically as you could.


It was the error, rather than multiple accounts that I'm checking for.
I'm not advanced enough in my programming ability to implement a true
multi user environment where user1/pass1 is different from user1/pass2


>
>
> -TG
>
>
> ----- Original Message -----
> From: Jason Pruim <japruim@raoset.com>
> To: "TG" <tg-php@gryffyndevelopment.com>
> Cc: "PHP General List" <php-general@lists.php.net>
> Date: Fri, 14 Mar 2008 13:00:11 -0400
>
>> On Mar 14, 2008, at 12:51 PM, TG wrote:
>>
>> The usernames will be unique... Still need to make that change to
>> the
>> DB but they will be.
>>
>> The main reason I'm doing it this way, is if I don't put in some kind
>> of a check on the authentication then it pops up a mysql error saying
>> that there is a problem with my syntax... instead of NOT logging
>> them
>> in... So I thought if I checked to make sure that the query only
>> returned 1 row, it would match up and I could do some error checking
>> based on that...



--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@raoset.com
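
Added example, not part of the original thread or the poster's code: the same login lookup written with a bound parameter, a UNIQUE username column, and PHP's password_hash()/password_verify() in place of a salted md5, with database errors logged rather than shown to the visitor. The table and column names follow the post; the in-memory SQLite database (via PDO), the checkLogin() function and the sample accounts are assumptions made so the script runs on its own.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE on loginName enforces "usernames will be unique" in the schema itself.
$db->exec('CREATE TABLE current (loginName TEXT UNIQUE NOT NULL, loginPassword TEXT NOT NULL)');

// Constructed sample accounts. password_hash() generates a per-user salt and
// stores it inside the returned string, so no separate $salt handling is needed.
$ins = $db->prepare('INSERT INTO current (loginName, loginPassword) VALUES (?, ?)');
$ins->execute(['me', password_hash('pass1', PASSWORD_DEFAULT)]);
$ins->execute(["o'brien", password_hash('pass3', PASSWORD_DEFAULT)]);

// Hash of a throwaway value, verified when the user does not exist so that both
// failure paths do a comparable amount of work.
define('DUMMY_HASH', password_hash('unused-placeholder', PASSWORD_DEFAULT));

// Hypothetical helper: returns true only for a known user with the right password.
function checkLogin(PDO $db, string $user, string $password): bool
{
    try {
        // The placeholder keeps $user out of the SQL text: a quote in the input
        // is plain data, so it cannot produce a syntax error or alter the query.
        $stmt = $db->prepare('SELECT loginPassword FROM current WHERE loginName = ? LIMIT 1');
        $stmt->execute([$user]);
        $stored = $stmt->fetchColumn();   // false when no row matched
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // log, do not echo
        return false;
    }
    $hash = ($stored === false) ? DUMMY_HASH : $stored;
    $ok = password_verify($password, $hash);
    return $ok && $stored !== false;
}

// Constructed inputs: valid login, wrong password, unknown user, quote in the name.
$cases = [['me', 'pass1'], ['me', 'pass2'], ['nobody', 'pass1'], ["o'brien", 'pass3']];
foreach ($cases as [$u, $p]) {
    printf("%-10s %-6s => %s\n", $u, $p, checkLogin($db, $u, $p) ? 'login ok' : 'login failed');
}
```

With MySQL the same pattern applies through mysqli_prepare() and mysqli_stmt_bind_param(); only the connection and binding calls differ.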


